{"id":50714,"date":"2016-06-16T16:35:23","date_gmt":"2016-06-16T23:35:23","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=50714"},"modified":"2025-06-02T20:44:16","modified_gmt":"2025-06-03T03:44:16","slug":"microsofts-june-patch-kills-potential-cfg-bypass","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/microsofts-june-patch-kills-potential-cfg-bypass\/","title":{"rendered":"Microsoft\u2019s June Patch Kills Potential CFG Bypass"},"content":{"rendered":"

After applying Microsoft\u2019s June patch, we noticed some interesting changes that prevent a security bypass of Windows\u2019 Control Flow Guard (CFG). The changes are in the Shader<\/a> JIT compiler of the Windows Advanced Rasterization Platform (WARP<\/a>) module (d3d10warp.dll). The Shader JIT compiler could formerly be used to create a CFG bypass. CFG is known to have problems with dynamic code, such as that created by JavaScript JIT and ActionScript JIT compilers. With this update, CFG becomes more robust, and especially more resistant to bypass attacks involving JIT techniques.<\/p>\n

WARP is a software-based rasterizer that contains a high-performance JIT code generator<\/a> which can convert High-Level Shader Language byte code to optimized native machine code (SSE, x86\/x64). Moreover, WARP is accessible in the context of the browser by defining Shaders with WebGL (JavaScript-based API), so WARP can be easily employed in browser-based exploit development.<\/p>\n

The changes were made in a function that is related to WARP Shader JIT code page protection. This particular fix uses new operating system features\u2014 VirtualAlloc with the \u201cPAGE_TARGETS_INVALID\u201d flag and the SetProcessValidCallTargets API\u2014to make sure only the starting address of a Shader JIT function is the valid call target. (We will demonstrate this later through a live debugging session.)<\/p>\n

\"20160616<\/a><\/p>\n

\"20160616<\/a><\/p>\n

A look at live debugging before the June Patch (d3d10warp.dll v10.0.10586.0):<\/p>\n

\"20160616<\/a><\/p>\n

Live debugging after the June Patch (d3d10warp.dll v10.0.10586.420):<\/p>\n

\"20160616<\/a><\/p>\n

From the preceding screens, we can clearly see that after applying the June patch most bits on the CFG map corresponding to the Shader JIT code block are cleared except for the first (corresponding to the JIT function entry point), which indicates the function entry is the only valid call target and jumping to any other place will be caught by a CFG check.<\/p>\n

More About Warp Shader JIT Mechanism<\/h2>\n

Looking even deeper into the WARP Shader JIT mechanism, we found some other interesting facts:<\/p>\n